ARTICLE
15 July 2026

DoD Suspends Phase II Of CMMC Program

BL
Butzel Long

Contributor

Founded in 1854, Butzel Long has played a prominent role in the development and growth of several major industries. Business leaders have turned to us for innovative, highly-effective legal counsel for over 170 years. We have a long and successful history of developing new capabilities and deepening our experience for our clients’ benefit. We strive to be on the cutting edge of technology, manufacturing, e-commerce, biotechnology, intellectual property, and cross-border operations and transactions.

The Department of Defense has suspended Phase II of its Cybersecurity Maturity Model Certification program, halting the planned November 2026 requirement for third-party cybersecurity assessments of defense contractors. While Phase I self-assessment requirements remain in effect, DoD has launched a 60-day review to address industry concerns about compliance costs and barriers to participation in the Defense Industrial Base.
United States Government, Public Sector
Butzel Long are most popular:
  • within Employment and HR, Intellectual Property, Litigation and Mediation & Arbitration topic(s)
  • with Inhouse Counsel
  • in United States
  • with readers working within the Consumer Industries industries

On July 13, 2026, the US Department of Defense (“DoD”), also known as the Department of War, announced that it was immediately suspending Phase II of the Department’s rollout of the Cybersecurity Maturity Model Certification (“CMMC”) program, which phase was to come into effect on November 10, 2026. This announcement, accompanied by memoranda to senior Pentagon leadership, represents a potentially seismic shift in DoD’s position with respect to the regulation of defense contractors’ cybersecurity posture.

As noted in a prior Butzel Client Alert, CMMC is a verification framework used by the US government to assess a contractor’s cybersecurity protections in order to protect sensitive government information, specifically Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”), from cyber threats. Phase I, which took effect on November 10, 2025, introduced CMMC Level 1 and Level 2 self-assessments as a condition of award for new contracts that included CMMC level requirements. Phase II was to require, as condition of award in certain solicitations, an assessment by an authorized CMMC Third-Party Assessment Organization (“C3PAO”).

As Butzel had previously reported, in the months following the rollout of CMMC, concerns had been raised by both government and industry about, among other things, the potential compliance costs incurred by contractors in meeting CMMC requirements. As DoD noted in announcing the suspension: “While the current CMMC program was designed to enhance DIB cybersecurity, instead it has created prohibitive compliance costs and bureaucratic burdens. Recent data, including reports from the Small Business Administration ("SBA"), confirmed that CMMC compliance is forcing innovative companies out of the Defense Industrial Base ("DIB") which will delay the delivery of critical capabilities to the warfighters.”

Accordingly, DoD announced the suspension of the transition to Phase II requirements, along with all pending and future CMMC implementation milestones, and initiated a 60-day study of the future of the CMMC program. Additionally, the Department is establishing a CMMC Reform Task Force to conduct a comprehensive review of the CMMC program, including the solicitation of industry feedback in response to a Request for Information (“RFI”) regarding contractor compliance hurdles. The Task Force is to deliver a report to the DoD Chief Information Office ("CIO") within 60 days. 

Notably, during the suspension, DoD will continue to enforce compliance with all Phase I self-assessment requirements, which “remain firmly in place.” Additionally, the Department made clear that all defense contractors and subcontractors remain contractually required to safeguard CUI in accordance with Defense Federal Acquisition Regulation Supplement ("DFARS") 252.204-7012, which requires adherence to National Institute of Standards and Technology ("NIST") SP 800-171, for contractors storing or handling CUI during contract performance.

Key Takeaways

  • Phase II implementation is suspended indefinitely. DoD will not proceed with the November 2026 transition requiring CMMC Level 2 C3PAO certifications.
  • CMMC Level 1 and Level 2 self-assessments remain in effect. Contractors must continue to demonstrate compliance through self-assessment mechanisms.
  • NIST SP 800-171 compliance remains a baseline requirement. The suspension does not eliminate cybersecurity obligations applicable to contractors handling CUI.
  • DFARS 252.204-7012 remains fully effective. Contractors must continue safeguarding covered defense information and complying with cyber incident reporting requirements.
  • DoD is creating a “CMMC Reform Task Force” to conduct a sixty (60) day review of the program and recommend alternatives intended to reduce barriers to participation in the DIB.

Accordingly, while defense contractors and subcontractors should monitor the aforementioned developments carefully, including looking for the opportunity to provide feedback to the CMMC Reform Task Force, they must also continue to remain compliant with existing cybersecurity compliance obligation, which will continue to remain in effect.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More